NHS loses unencrypted USB stick
Posted on October 4, 2011 by Nick Lowe
A report from the Surrey and Sussex Healthcare NHS Trust in the UK has revealed that East Surrey Hospital lost the details of 800 patients in September 2010 but failed to notify any of the affected patients*. The Trust’s 2010/2011 annual report stated that the lost information had been held on an unencrypted memory stick, and included the names, dates of birth and operation details of each patient. The report also revealed a further nine “near misses” whereby information was lost but later recovered.
It’s a worrying situation when it is no longer surprising to see an NHS data breach with a lost, unencrypted USB stick at the heart of it. Such devices – which have proven to be consistently vulnerable to loss, theft and poor security practices – must be retired. Technology has moved on, and so should organisations looking to transfer information securely. Only by using modern Secure File Transfer solutions can organisations be sure that their data is protected at all times, and only accessible by the intended recipient.
It’s also hugely disappointing to see that the Surrey and Sussex Healthcare Trust failed to notify the individuals affected by the data breach. The Trust has an obligation to protect the personal information of those in its care properly; however, the revelations of poor data security and the failure to notify indicate that there are some serious flaws in its current approach.
It’s unclear just how many more of these incidents are needed before lessons are learned and changes made, but this data breach, along with the nine “near misses” mentioned in the report, will do little to inspire public faith in the NHS.
Privileged Conversations at RSA: From the Cloud to the White House
Posted on March 3, 2011 by Adam Bosnian
As it has every year since its inception, the RSA Conference drew a large number of security vendors, researchers, professionals and insiders of all stripes. Not surprisingly, cloud security emerged as one of the most popular themes addressed throughout the conference, partly due to the buzz and anticipation surrounding The Cloud Security Alliance Summit. That said, while the security of the cloud and other virtual environments was certainly a focal point for this year’s show, several other important themes, issues and opportunities were addressed that also challenged the notion of status quo security.
As part of the mission of “Privileged Insights,” we are especially intrigued by topics that address the overarching sophistication and evolution of security threats, particularly the exploitation of privileged accounts and identities to access sensitive information. So while the CSA Summit attracted a lot of attention, and Chris Hoff, Director of Cloud and Virtualized Solutions for Cisco, delivered an insightful presentation that illuminated the importance of transparency between cloud providers and customers, it was Salesforce.com CEO Marc Benioff and Chief Trust Officer Jim Cavalieri who added a different twist to the cloud security picture—it’s not just the cloud, it’s the provider’s infrastructure that we need to worry about. Obviously, this is something that resonates well with IT security professionals.
When we examine the infrastructure of a provider’s data center, it’s realistic to expect that it could contain hundreds or thousands of servers, databases, workloads, applications, services and network devices (among other components), all exposing access points for management and control. Some of these access points are extremely powerful (i.e. privileged) while others are not. Regardless, each access point should be reachable only by authorized sources. Cyber criminals understand the potential of these networks of privileged access points and, by leveraging these vulnerabilities, they have transformed the cyber crime frontier, as seen with many of the recent APT attacks, such as Stuxnet.
As Symantec pointed out in their presentation, the best approach to combat Stuxnet and similar attacks is a coordinated one focused on policy, protection and monitoring controls—all central tenets of privileged identity management.
Similar takeaways were found elsewhere at RSA that justify the importance of employing “privileged insights” to security intelligence. White House CIO Vivek Kundra explained some of the rationale behind the federal government’s increasing utilization of the cloud, including the importance of continuous monitoring. Cyber-Ark believes that for continuous monitoring efforts to be effective, they must be properly automated by privileged session management solutions. Elsewhere, the CSA officially announced the launch of a new working group, CloudSIRT – cloud security incident and response. Interestingly, a recent survey conducted by CloudSIRT found that privileged user threats were one of the main vulnerabilities recognized by cloud adopters.
The list could go on, but we’re curious: where else did you hear insightful discussions about the power of privilege at RSA? From our perspective, it seems the discussion is now less about educating the market on privileged identity management technology and has evolved into a need to better understand the emerging security and compliance challenges that it can proactively help solve. Do you agree?
RELEASING GRIP ON EMAILS COULD BOOST PRODUCTIVITY IN PUBLIC SECTOR
Posted on February 11, 2011 by Josh Arrington
Inboxes can always be difficult to manage – filing message after message, flagging and categorising – but many organisations are still really struggling to deal with large attachments, often finding that they clog up email exchanges and slow staff down.
Indeed, Virgin Media Business has just conducted some research* and found that 69 percent of public sector workers in the UK cannot send or receive emails larger than 10 MB in size, and 89 percent are unable to send or receive emails in excess of 15 MB. Clearly these limitations can be hugely inhibiting for staff – preventing them from sharing large files and getting the most out of the resources at hand.
Such restrictions are clearly out of date, with more information than ever flowing between staff and companies, most often via email. In order to enhance productivity, organisations should be looking at ways to enable staff to share large files in a quick, simple and secure way. For example, with a secure file transfer solution that takes sensitive documents out of the email exchange – delivering access to the files through a secure link – employees can enjoy a far quicker and less congested inbox.
With this clear benefit, workers stop seeing security processes as a hindrance to their performance and start seeing them as an enabler of better business practices.
With Privileged Insights Emerges Security Intelligence: Preparing for the Unexpected
Posted on January 25, 2011 by Udi Mokady
By Udi Mokady, CEO, Cyber-Ark
Cyber-Ark Software believes 2011 will be a significant year for the security industry. One marked by transformation – both in terms of increasingly sophisticated threats and encouraging technology innovation. Behind these changes are converging market factors such as the challenges facing organizations that must protect against more targeted, persistent and sophisticated attacks, including those related to Stuxnet and Wikileaks-type incidents; easing economic pressures driving new infrastructure investments, particularly virtualization and cloud computing; and evolving internal audit pressures and compliance requirements, such as PCI. To address these market factors, Cyber-Ark has launched the “Privileged Insights” blog.
With our global reach, Cyber-Ark is in a fortunate position to be able to draw upon our experiences, and those of our partners and customers, to share real-world examples of how unexpected vulnerabilities, such as hard-coded passwords in a video conferencing system, digital copier or storage device, can impact the overall security posture of an organization. No longer are threats limited to insiders and expected targets like databases and servers—we must think about the unexpected. That will be one of the goals of this blog: generating industry dialogue and empowering people with the information they need to proactively manage unexpected threats by elevating awareness about the risks of status quo security, and the need for innovation and new IT skill sets.
Cyber-Ark closed 2010 with 800 customers in more than 50 countries and strong revenues that are driving tremendous momentum into the new year, including providing customers with proactive security solutions for increasingly distributed architectures. In speaking with our customers, we understand that, particularly at the C-Level, there remains hesitation about cloud adoption due to multiple factors including security uncertainties and the sense of a “loss of control.” Cyber-Ark recently produced a fun, informative video [included in this post] aimed at describing how Cyber-Ark can help address key security issues in a cloud environment, whether you are a cloud service customer or a cloud service provider.
Even with the growing complexity and fragmentation of the IT security space, we are optimistic about the year to come. Cyber-Ark is extremely well-positioned in the Privileged Account Activity Management space, one of the fastest growing segments within the identity and access management market. And with innovative offerings for governed file transfer, we continue to empower multi-national organizations to initiate new business models and address their most daunting security challenges related to how information is accessed, shared, monitored and managed. We look forward to sharing our stories and participating in thought-provoking discussions about the expanding threat landscape. And – stay tuned for more announcements coming from Cyber-Ark this year.
How do you see enterprise cloud adoption and security in the cloud evolving this year?